Kevin,

Just to add a little to the comments you've already received:

1) After a compromise, you essentially have 2 approaches: One, 
cut the box off the network and leave it alone.  Call local law 
enforcement and the FBI.  This approach is used if you wish to 
pursue litigation.  I should point out that unless you have very 
detailed network logging showing times, IP addresses, etc., this 
approach will likely be a dead-end.  

The second approach is to assume you're not going to pursue the 
attacker and concentrate on recovery.  Assume that everything on 
the box is suspect.  Re-format and start from scratch, install data 
from a good backup. If you don't have a good backup, you will want 
to remove all executable programs and replace them with known 
good ones, and then hope for the best.

2) If you don't have a good IDS system, including proper log 
monitoring on your end systems, you'll almost surely never know 
for certain how a box was compromised and more importantly you 
won't know what was done after the compromise.  You can make 
some educated guesses based on what services you're running and 
what files _appear_ to have changed.  

However, there is always a problem that if you have a very clever 
attacker, what looks like a very simple script exploit could be a red 
herring and the attacker actually installed their own versions of 
some obscure executables.  If they're clever, the file sizes match, 
so you would need to compare known good hash values against 
hash values on all of your executables to be sure.  This is 
obviously a major pain.

In general, I always recommend having an experienced security 
person perform a complete audit on a network.  This is a lot more 
than just doing some remote scanning, it's taking a comprehensive 
look at services, procedures, backup strategy, etc.  The problem is 
that these services are usually not cheap (but then again, neither is 
recovering from a compromise).  If you want a few quick hits:

1) Host security, get a good book on securing your particular host 
OS.

2) Application security, look at every app you run and find out what 
exploits are out there for that app.  You can find a list at many 
security sites but http://www.securityfocus.com is a good one.

3) Logging, use whatever logging is available for your OS and send 
the logs to an external central server.  Logs are usually one of the 
first things modified on a system after a successful compromise 
and they can tell you a lot IF they are on a trusted machine.

4) File integrity systems such as Tripwire are worth looking into for 
public facing servers.  They will help you determine what files have 
been changed after a compromise.

5) IDS systems can be very useful, but only if they are properly 
installed AND monitored.  A lot of IDS systems are not properly 
setup and not properly monitored, giving a false sense of security. 

6) Have a plan.  Even the most secure perimeters can be 
compromised, having a contingency plan can be the difference 
between a quick recovery and not recovering at all.  I recommend 
"The process of network security" as a good starting book.

HTH,
Kent

On 7 May 2001, at 10:32, Kevin O'Gilvie wrote:

> Apparently over the weekend Poison Box got past my PIX and overwrote
> some files on the intranet box and maybe did more damage than I know of at
> this moment. I need help on finding out how they got in and how to
> prevent it happening in the future. Please help.
> 
> Thanks,
> 
> Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3699&t=3452
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
